Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 24, 2025, 1:32 p.m.	March 24, 2025, 1:34 p.m.

Size	1.7MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`84408fe8f2675bd4b8eb6fae7dcaeffa`
SHA256	`78b08e1acf62ba41b2e41b76baeb269ec6550353fa6d7acd9518b769477696d3`
CRC32	`8ABDF723`
ssdeep	`24576:UQmtrdR+0HEMpcoKlCiCMO+fMyze0dDB1X61J+wUrj3kOE:Wu9SKlCzM6ce0dD3MJfQE`
Yara	themida_packer - themida packer PE_Header_Zero - PE File Signature IsPE32 - (no description) UPX_Zero - UPX packed file

advnrNo.exe "C:\Users\test22\AppData\Local\Temp\advnrNo.exe"
652

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 104.76.74.15	104.76.74.15

IP Address	Status	Action
104.76.74.15	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch
95.216.179.65	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 149.154.167.99:443 -> 192.168.56.103:49182	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49172 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49161 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49166 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49171 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49171 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49164	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49173	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49191 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49191 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49195 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 95.216.179.65:443 -> 192.168.56.103:49169	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49195 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49175 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49195 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49180 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49192	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49198 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49194 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49194 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49194 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49196	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 95.216.179.65:443 -> 192.168.56.103:49201	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.103:49205	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49172 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49203 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49203 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49212 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49212 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 95.216.179.65:443 -> 192.168.56.103:49210	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49181 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49203 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 95.216.179.65:443 -> 192.168.56.103:49232	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49225 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49225 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49235 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49235 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49225 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49235 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49184 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 95.216.179.65:443 -> 192.168.56.103:49188	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49234 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49234 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49243 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49243 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49234 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49190 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49243 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49190 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49190 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 95.216.179.65:443 -> 192.168.56.103:49178	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49212 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49245	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.103:49214	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49216 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49247 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49222 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49222 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49222 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49213 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49223	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49213 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49213 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49226 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49226 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49226 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49253 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49229 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49253 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49236	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49204 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49238 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49204 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 95.216.179.65:443 -> 192.168.56.103:49241	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49204 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49252 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49252 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49252 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49207 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49257 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49257 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49244 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49244 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49257 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49256 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49244 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49256 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49244 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49256 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49253 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49258	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49221 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49254	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49221 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49269 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49221 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49260 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49265 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49265 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49267	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49265 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 95.216.179.65:443 -> 192.168.56.103:49281	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49275 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49275 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49275 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49283 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49283 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49283 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49276	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 95.216.179.65:443 -> 192.168.56.103:49263	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49284 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49284 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49284 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49266 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49266 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49266 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 149.154.167.99:443 -> 192.168.56.103:49285	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 95.216.179.65:443 -> 192.168.56.103:49219	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49278 -> 104.76.74.15:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49274 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49274 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 149.154.167.99:443 -> 192.168.56.103:49227	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49274 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 95.216.179.65:443 -> 192.168.56.103:49250	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 95.216.179.65:443 -> 192.168.56.103:49272	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49212 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49221 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49266 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49256 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49161 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49180 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49244 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49190 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49243 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49265 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49213 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49234 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49274 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49225 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49195 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49222 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49191 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49171 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49235 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49194 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49204 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49275 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49172 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49226 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49181 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49257 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49283 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49252 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49284 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49203 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49163 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49166 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49175 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49198 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49184 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49247 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49216 104.76.74.15:443	None	None	None
TLSv1 192.168.56.103:49229 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49238 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49207 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49269 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49260 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83
TLSv1 192.168.56.103:49278 104.76.74.15:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	83:75:0b:54:d5:9e:34:40:6f:c2:2c:fc:be:5f:db:00:04:0d:d6:83

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 24, 2025, 1:32 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (50 out of 59 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:32 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:33 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:34 p.m.			0	0
IsDebuggerPresent March 24, 2025, 1:34 p.m.			0	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (6 events)

section	\x00
section	.idata
section
section	ycjszivj
section	nspidvfq
section	.taggant

One or more processes crashed (50 out of 123 events)

Time & API	Arguments	Status
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: fb e9 4e 01 00 00 60 8b 74 24 24 8b 7c 24 28 fc exception.symbol: advnrno+0x2c50b9 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2904249 exception.address: 0x6c50b9 registers.esp: 1638276 registers.edi: 0 registers.eax: 1 registers.ebp: 1638292 registers.edx: 8798208 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 d2 ff ff ff 51 b9 62 ab c4 5f 81 f1 95 65 exception.symbol: advnrno+0x2b494 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 177300 exception.address: 0x42b494 registers.esp: 1638244 registers.edi: 1971192040 registers.eax: 27551 registers.ebp: 3994390548 registers.edx: 4194304 registers.ebx: 4369405 registers.esi: 3 registers.ecx: 4397428	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 51 89 34 24 89 3c 24 bf 46 ba bc 6f 81 ef 28 exception.symbol: advnrno+0x2b15f exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 176479 exception.address: 0x42b15f registers.esp: 1638244 registers.edi: 1971192040 registers.eax: 0 registers.ebp: 3994390548 registers.edx: 4194304 registers.ebx: 4369405 registers.esi: 233705 registers.ecx: 4372592	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 eb fb ff ff 55 81 ec 04 00 00 00 89 3c 24 exception.symbol: advnrno+0x2c713 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 182035 exception.address: 0x42c713 registers.esp: 1638240 registers.edi: 1971192040 registers.eax: 27213 registers.ebp: 3994390548 registers.edx: 4194304 registers.ebx: 1976775541 registers.esi: 4373866 registers.ecx: 1706154962	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 56 e9 a2 f9 ff ff 5c e9 3a fa ff ff 83 c4 04 exception.symbol: advnrno+0x2c7ad exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 182189 exception.address: 0x42c7ad registers.esp: 1638244 registers.edi: 1971192040 registers.eax: 27213 registers.ebp: 3994390548 registers.edx: 4194304 registers.ebx: 1976775541 registers.esi: 4401079 registers.ecx: 1706154962	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 2c 24 68 1d 46 f3 7b 5d exception.symbol: advnrno+0x2c1ac exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 180652 exception.address: 0x42c1ac registers.esp: 1638244 registers.edi: 1259 registers.eax: 27213 registers.ebp: 3994390548 registers.edx: 4194304 registers.ebx: 1976775541 registers.esi: 4401079 registers.ecx: 4294942792	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 0c 24 68 94 fb 7a 3f e9 8c f8 ff exception.symbol: advnrno+0x1afe17 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1768983 exception.address: 0x5afe17 registers.esp: 1638244 registers.edi: 251881 registers.eax: 5963879 registers.ebp: 3994390548 registers.edx: 2130566132 registers.ebx: 59376522 registers.esi: 0 registers.ecx: 906	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 46 fa ff ff 31 c3 81 ec 04 00 00 00 89 0c exception.symbol: advnrno+0x1b14f3 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1774835 exception.address: 0x5b14f3 registers.esp: 1638244 registers.edi: 50665 registers.eax: 27587 registers.ebp: 3994390548 registers.edx: 4294942680 registers.ebx: 1806527472 registers.esi: 5995117 registers.ecx: 352782592	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 83 ec 04 89 14 24 e9 5e 03 00 00 ba 4c 19 ef exception.symbol: advnrno+0x1b72d7 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1798871 exception.address: 0x5b72d7 registers.esp: 1638240 registers.edi: 5992161 registers.eax: 26601 registers.ebp: 3994390548 registers.edx: 1952683744 registers.ebx: 5972490 registers.esi: 95 registers.ecx: 1971442156	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 00 00 00 00 57 52 ba 70 dd a9 77 89 54 24 exception.symbol: advnrno+0x1b7cbc exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1801404 exception.address: 0x5b7cbc registers.esp: 1638244 registers.edi: 6018762 registers.eax: 26601 registers.ebp: 3994390548 registers.edx: 1952683744 registers.ebx: 5972490 registers.esi: 95 registers.ecx: 1971442156	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 57 89 04 24 89 0c 24 54 59 81 c1 04 00 00 00 exception.symbol: advnrno+0x1b77c3 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1800131 exception.address: 0x5b77c3 registers.esp: 1638244 registers.edi: 5995846 registers.eax: 1259 registers.ebp: 3994390548 registers.edx: 1952683744 registers.ebx: 0 registers.esi: 95 registers.ecx: 1971442156	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 55 89 0c 24 54 8b 0c 24 exception.symbol: advnrno+0x1c023e exception.instruction: in eax, dx exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1835582 exception.address: 0x5c023e registers.esp: 1638236 registers.edi: 5995846 registers.eax: 1447909480 registers.ebp: 3994390548 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 6007814 registers.ecx: 20	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: 0f 3f 07 0b 64 8f 05 00 00 00 00 83 c4 04 83 fb exception.symbol: advnrno+0x1bc599 exception.address: 0x5bc599 exception.module: advnrNo.exe exception.exception_code: 0xc000001d exception.offset: 1820057 registers.esp: 1638236 registers.edi: 5995846 registers.eax: 1 registers.ebp: 3994390548 registers.edx: 22104 registers.ebx: 0 registers.esi: 6007814 registers.ecx: 20	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: ed 81 fb 68 58 4d 56 75 0a c7 85 cd 2b 2d 12 01 exception.symbol: advnrno+0x1bde8c exception.instruction: in eax, dx exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1826444 exception.address: 0x5bde8c registers.esp: 1638236 registers.edi: 5995846 registers.eax: 1447909480 registers.ebp: 3994390548 registers.edx: 22104 registers.ebx: 2256917605 registers.esi: 6007814 registers.ecx: 10	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: cd 01 eb 00 6a 00 57 e8 03 00 00 00 20 5f c3 5f exception.symbol: advnrno+0x1c331d exception.instruction: int 1 exception.module: advnrNo.exe exception.exception_code: 0xc0000005 exception.offset: 1848093 exception.address: 0x5c331d registers.esp: 1638204 registers.edi: 0 registers.eax: 1638204 registers.ebp: 3994390548 registers.edx: 6042382 registers.ebx: 6042736 registers.esi: 6029312 registers.ecx: 0	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 57 e9 af 04 00 00 f7 d8 35 6f 8f aa 40 29 c7 exception.symbol: advnrno+0x1c3b39 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1850169 exception.address: 0x5c3b39 registers.esp: 1638244 registers.edi: 5995846 registers.eax: 4294940852 registers.ebp: 3994390548 registers.edx: 2130566132 registers.ebx: 6379 registers.esi: 6073094 registers.ecx: 783399936	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 b2 04 00 00 87 3c 24 5c 68 97 8a ed 36 89 exception.symbol: advnrno+0x1d2a6f exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1911407 exception.address: 0x5d2a6f registers.esp: 1638240 registers.edi: 6104973 registers.eax: 30757 registers.ebp: 3994390548 registers.edx: 6 registers.ebx: 19315143 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 57 c7 04 24 41 d0 bb 75 ff 0c 24 ff 0c 24 81 exception.symbol: advnrno+0x1d2b83 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1911683 exception.address: 0x5d2b83 registers.esp: 1638244 registers.edi: 6135730 registers.eax: 30757 registers.ebp: 3994390548 registers.edx: 6 registers.ebx: 19315143 registers.esi: 1971262480 registers.ecx: 0	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 57 56 be ec a6 ef 0e 55 bd 08 72 69 37 31 ee exception.symbol: advnrno+0x1d2fe4 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1912804 exception.address: 0x5d2fe4 registers.esp: 1638244 registers.edi: 6107790 registers.eax: 426985 registers.ebp: 3994390548 registers.edx: 6 registers.ebx: 19315143 registers.esi: 0 registers.ecx: 0	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 57 57 c7 04 24 05 00 30 64 89 14 24 89 2c 24 exception.symbol: advnrno+0x1d74c5 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1930437 exception.address: 0x5d74c5 registers.esp: 1638236 registers.edi: 6107790 registers.eax: 25915 registers.ebp: 3994390548 registers.edx: 1182413601 registers.ebx: 19315143 registers.esi: 0 registers.ecx: 6150154	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 56 68 4f 4c eb 6e 8b 34 24 57 e9 c6 f9 ff ff exception.symbol: advnrno+0x1d799b exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1931675 exception.address: 0x5d799b registers.esp: 1638236 registers.edi: 6107790 registers.eax: 25915 registers.ebp: 3994390548 registers.edx: 2295881320 registers.ebx: 4294944240 registers.esi: 0 registers.ecx: 6150154	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 81 c1 bb fb df 7f 50 b8 be 72 7e 3f 01 c1 ff exception.symbol: advnrno+0x1d81f7 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1933815 exception.address: 0x5d81f7 registers.esp: 1638232 registers.edi: 6107790 registers.eax: 30610 registers.ebp: 3994390548 registers.edx: 497714180 registers.ebx: 1991215262 registers.esi: 0 registers.ecx: 6127549	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 cc fc ff ff 5d 2d f4 35 2f 31 29 f0 05 f4 exception.symbol: advnrno+0x1d8910 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1935632 exception.address: 0x5d8910 registers.esp: 1638236 registers.edi: 6107790 registers.eax: 30610 registers.ebp: 3994390548 registers.edx: 497714180 registers.ebx: 1991215262 registers.esi: 0 registers.ecx: 6158159	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 68 90 9f f7 7d e9 b8 01 00 00 31 f7 e9 38 00 exception.symbol: advnrno+0x1d8840 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1935424 exception.address: 0x5d8840 registers.esp: 1638236 registers.edi: 6107790 registers.eax: 0 registers.ebp: 3994390548 registers.edx: 497714180 registers.ebx: 1991215262 registers.esi: 2315982952 registers.ecx: 6130559	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 65 ff ff ff 87 14 24 8b 24 24 50 c7 04 24 exception.symbol: advnrno+0x1dca72 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1952370 exception.address: 0x5dca72 registers.esp: 1638232 registers.edi: 3997737626 registers.eax: 31399 registers.ebp: 3994390548 registers.edx: 2005845531 registers.ebx: 1682186914 registers.esi: 2322090742 registers.ecx: 6144138	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 52 c7 04 24 c3 99 c3 65 89 2c 24 56 51 b9 ec exception.symbol: advnrno+0x1dc4d2 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1950930 exception.address: 0x5dc4d2 registers.esp: 1638236 registers.edi: 4294939312 registers.eax: 31399 registers.ebp: 3994390548 registers.edx: 2005845531 registers.ebx: 1682186914 registers.esi: 2384936552 registers.ecx: 6175537	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 31 c9 ff 34 19 ff 34 24 8b 14 24 81 c4 04 00 exception.symbol: advnrno+0x1fc1ca exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2081226 exception.address: 0x5fc1ca registers.esp: 1638204 registers.edi: 272 registers.eax: 30680 registers.ebp: 3994390548 registers.edx: 2130566132 registers.ebx: 6304956 registers.esi: 6270229 registers.ecx: 783351808	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 91 f8 ff ff 81 c1 2c 62 ef 7b 8b 14 24 83 exception.symbol: advnrno+0x1fc4bc exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2081980 exception.address: 0x5fc4bc registers.esp: 1638204 registers.edi: 272 registers.eax: 30680 registers.ebp: 3994390548 registers.edx: 2345634656 registers.ebx: 6304956 registers.esi: 6270229 registers.ecx: 4294939108	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 68 01 ef 91 6b 89 04 24 55 bd 00 98 eb 77 57 exception.symbol: advnrno+0x1fd329 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2085673 exception.address: 0x5fd329 registers.esp: 1638200 registers.edi: 272 registers.eax: 31200 registers.ebp: 3994390548 registers.edx: 1687989597 registers.ebx: 6278823 registers.esi: 6270229 registers.ecx: 37396988	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 56 50 c7 04 24 9f 90 7f 7f 81 2c 24 b6 0c ff exception.symbol: advnrno+0x1fd19a exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2085274 exception.address: 0x5fd19a registers.esp: 1638204 registers.edi: 272 registers.eax: 31200 registers.ebp: 3994390548 registers.edx: 1687989597 registers.ebx: 6310023 registers.esi: 6270229 registers.ecx: 37396988	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 68 65 22 35 76 89 3c 24 e9 00 00 00 00 89 34 exception.symbol: advnrno+0x1fdaf5 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2087669 exception.address: 0x5fdaf5 registers.esp: 1638204 registers.edi: 1375758944 registers.eax: 31200 registers.ebp: 3994390548 registers.edx: 4294939264 registers.ebx: 6310023 registers.esi: 6270229 registers.ecx: 37396988	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 50 c7 04 24 00 6a e1 4f 89 2c 24 e9 ce fe ff exception.symbol: advnrno+0x1fe666 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2090598 exception.address: 0x5fe666 registers.esp: 1638200 registers.edi: 404287293 registers.eax: 6283154 registers.ebp: 3994390548 registers.edx: 2038924688 registers.ebx: 2141733862 registers.esi: 6282021 registers.ecx: 0	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 52 50 e9 00 00 00 00 c7 04 24 c2 97 df 7f 5a exception.symbol: advnrno+0x1fe976 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2091382 exception.address: 0x5fe976 registers.esp: 1638204 registers.edi: 404287293 registers.eax: 6285822 registers.ebp: 3994390548 registers.edx: 0 registers.ebx: 2141733862 registers.esi: 6282021 registers.ecx: 2298801283	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 68 7c ec 78 12 89 3c 24 51 c7 04 24 e4 2c 8f exception.symbol: advnrno+0x1ff76a exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2094954 exception.address: 0x5ff76a registers.esp: 1638200 registers.edi: 404287293 registers.eax: 29742 registers.ebp: 3994390548 registers.edx: 985653383 registers.ebx: 1753005078 registers.esi: 6282021 registers.ecx: 6286193	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 68 70 be 1a 2f e9 32 01 00 00 56 ff 04 24 5e exception.symbol: advnrno+0x1ff047 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2093127 exception.address: 0x5ff047 registers.esp: 1638204 registers.edi: 0 registers.eax: 29742 registers.ebp: 3994390548 registers.edx: 1474791767 registers.ebx: 1753005078 registers.esi: 6282021 registers.ecx: 6289459	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 ed 00 00 00 59 81 c4 04 00 00 00 81 ef 54 exception.symbol: advnrno+0x203bc5 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2112453 exception.address: 0x603bc5 registers.esp: 1638200 registers.edi: 6304701 registers.eax: 32882 registers.ebp: 3994390548 registers.edx: 6304043 registers.ebx: 65804 registers.esi: 6282021 registers.ecx: 1969225870	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 81 ec 04 00 00 00 89 14 24 c7 04 24 63 31 b7 exception.symbol: advnrno+0x203797 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2111383 exception.address: 0x603797 registers.esp: 1638204 registers.edi: 6337583 registers.eax: 32882 registers.ebp: 3994390548 registers.edx: 6304043 registers.ebx: 65804 registers.esi: 6282021 registers.ecx: 1969225870	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 68 e8 e2 b8 4b 89 2c 24 c7 04 24 e1 26 be 77 exception.symbol: advnrno+0x203421 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2110497 exception.address: 0x603421 registers.esp: 1638204 registers.edi: 6337583 registers.eax: 32882 registers.ebp: 3994390548 registers.edx: 6304043 registers.ebx: 65804 registers.esi: 703962509 registers.ecx: 4294937400	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 51 56 be a8 90 bd 7f 89 74 24 04 5e e9 4b ff exception.symbol: advnrno+0x206173 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2122099 exception.address: 0x606173 registers.esp: 1638200 registers.edi: 6337583 registers.eax: 26904 registers.ebp: 3994390548 registers.edx: 6315632 registers.ebx: 4373001 registers.esi: 703962509 registers.ecx: 78271905	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 29 ff ff 34 17 e9 4e 04 00 00 29 fa 5f 03 14 exception.symbol: advnrno+0x20609b exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2121883 exception.address: 0x60609b registers.esp: 1638204 registers.edi: 6337583 registers.eax: 26904 registers.ebp: 3994390548 registers.edx: 6342536 registers.ebx: 4373001 registers.esi: 703962509 registers.ecx: 78271905	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb b8 b6 ef a3 55 35 53 c5 d9 6b 83 e8 ff 2d ff exception.symbol: advnrno+0x206832 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2123826 exception.address: 0x606832 registers.esp: 1638204 registers.edi: 4294942988 registers.eax: 26904 registers.ebp: 3994390548 registers.edx: 6342536 registers.ebx: 798066360 registers.esi: 703962509 registers.ecx: 78271905	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 2d 68 ed f3 3f 03 04 24 57 bf 2a bf 83 7e 57 exception.symbol: advnrno+0x20751e exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2127134 exception.address: 0x60751e registers.esp: 1638200 registers.edi: 4294942988 registers.eax: 6318746 registers.ebp: 3994390548 registers.edx: 2081289632 registers.ebx: 890735569 registers.esi: 703962509 registers.ecx: 78271905	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 68 c8 40 64 51 89 0c 24 57 54 e9 89 03 00 00 exception.symbol: advnrno+0x206da7 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2125223 exception.address: 0x606da7 registers.esp: 1638204 registers.edi: 4294942988 registers.eax: 6346682 registers.ebp: 3994390548 registers.edx: 2081289632 registers.ebx: 890735569 registers.esi: 703962509 registers.ecx: 78271905	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb e9 46 fd ff ff 47 81 ef ef 69 c6 3f 50 b8 04 exception.symbol: advnrno+0x2070ac exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2125996 exception.address: 0x6070ac registers.esp: 1638204 registers.edi: 4294942988 registers.eax: 6346682 registers.ebp: 3994390548 registers.edx: 2081289632 registers.ebx: 890735569 registers.esi: 4294942072 registers.ecx: 157417	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 57 89 e7 81 c7 04 00 00 00 50 68 74 d7 44 10 exception.symbol: advnrno+0x2089f0 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2132464 exception.address: 0x6089f0 registers.esp: 1638204 registers.edi: 3939837675 registers.eax: 30856 registers.ebp: 3994390548 registers.edx: 1429643705 registers.ebx: 493825248 registers.esi: 0 registers.ecx: 6326832	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 55 89 e5 50 83 ec 04 89 14 24 ba a9 5b c0 6a exception.symbol: advnrno+0x2128bb exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2173115 exception.address: 0x6128bb registers.esp: 1638204 registers.edi: 6327693 registers.eax: 26966 registers.ebp: 3994390548 registers.edx: 2130566132 registers.ebx: 2147483650 registers.esi: 6393227 registers.ecx: 783351808	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 51 89 14 24 53 bb ad 10 fb 6f 81 c3 b3 f0 67 exception.symbol: advnrno+0x212802 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2172930 exception.address: 0x612802 registers.esp: 1638204 registers.edi: 6327693 registers.eax: 322689 registers.ebp: 3994390548 registers.edx: 0 registers.ebx: 2147483650 registers.esi: 6369159 registers.ecx: 783351808	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 68 97 5e 31 20 89 3c 24 e9 7a fb ff ff 49 81 exception.symbol: advnrno+0x21cfe0 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2215904 exception.address: 0x61cfe0 registers.esp: 1638204 registers.edi: 6167058 registers.eax: 29513 registers.ebp: 3994390548 registers.edx: 6167035 registers.ebx: 6392129 registers.esi: 9748460 registers.ecx: 6438288	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 52 50 89 e0 e9 87 04 00 00 01 f1 e9 89 00 00 exception.symbol: advnrno+0x21cb15 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2214677 exception.address: 0x61cb15 registers.esp: 1638204 registers.edi: 604292950 registers.eax: 29513 registers.ebp: 3994390548 registers.edx: 6167035 registers.ebx: 4294941036 registers.esi: 9748460 registers.ecx: 6438288	1
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: fb 52 89 e2 53 bb bb 83 ff 6f 81 eb b7 83 ff 6f exception.symbol: advnrno+0x22b306 exception.instruction: sti exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 2274054 exception.address: 0x62b306 registers.esp: 1638200 registers.edi: 6468066 registers.eax: 30863 registers.ebp: 3994390548 registers.edx: 582600 registers.ebx: 6413173 registers.esi: 6413169 registers.ecx: 783351808	1

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199832267488

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199832267488

Allocates read-write-execute memory (usually to unpack itself) (34 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7793f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x778b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 61440 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00401000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04380000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04390000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04540000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04550000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04560000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04580000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x045f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 24, 2025, 1:32 p.m.	process_identifier: 652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x043b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

advnrNo.exe tried to sleep 1088 seconds, actually delayed analysis time by 1088 seconds

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x0000ec00', u'virtual_address': u'0x00001000', u'entropy': 7.985448842044809, u'name': u' \\x00 ', u'virtual_size': u'0x00026000'}

entropy

7.98544884204

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x0019d400', u'virtual_address': u'0x002c5000', u'entropy': 7.952839297763393, u'name': u'ycjszivj', u'virtual_size': u'0x0019e000'}

entropy

7.95283929776

description

A section with a high entropy has been found

entropy

0.993039443155

description

Overall entropy of this PE file is high

Expresses interest in specific running processes (1 event)

process

system

Communicates with host for which no DNS query was performed (1 event)

host

95.216.179.65

Checks for the presence of known devices from debuggers and forensic tools (3 events)

file	\??\SICE
file	\??\SIWVID
file	\??\NTICE

Checks for the presence of known windows from debuggers and forensic tools (50 out of 341 events)

Time & API	Arguments	Status	Return	Repeated
FindWindowA March 24, 2025, 1:32 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: RegmonClass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: #0 window_name: Registry Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: FilemonClass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: #0 window_name: File Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: #0 window_name: Process Monitor - Sysinternals: www.sysinternals.com		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: 18467-41 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Filemonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: PROCMON_WINDOW_CLASS window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: OLLYDBG window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: GBDYLLO window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: pediy06 window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: Regmonclass window_name:		0	0
FindWindowA March 24, 2025, 1:32 p.m.	class_name: 18467-41 window_name:		0	0

Checks the version of Bios, possibly for anti-virtualization (2 events)

registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
registry	HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	advnrNo.exe				useragent
process	advnrNo.exe				useragent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:135.0) Firefox/135.0

Detects VMWare through the in instruction feature (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 24, 2025, 1:32 p.m.	stacktrace: exception.instruction_r: ed 64 8f 05 00 00 00 00 55 89 0c 24 54 8b 0c 24 exception.symbol: advnrno+0x1c023e exception.instruction: in eax, dx exception.module: advnrNo.exe exception.exception_code: 0xc0000096 exception.offset: 1835582 exception.address: 0x5c023e registers.esp: 1638236 registers.edi: 5995846 registers.eax: 1447909480 registers.ebp: 3994390548 registers.edx: 22104 registers.ebx: 1971327157 registers.esi: 6007814 registers.ecx: 20	1	0	0

File has been identified by 45 AntiVirus engines on VirusTotal as malicious (45 events)

Bkav	W32.AIDetectMalware
Lionic	Trojan.Win32.Themida.i!c
tehtris	Generic.Malware
Cynet	Malicious (score: 99)
Skyhigh	BehavesLike.Win32.Themida.tc
ALYac	Trojan.GenericKDZ.110452
Cylance	Unsafe
VIPRE	Trojan.GenericKDZ.110452
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKDZ.110452
Arcabit	Trojan.Generic.D1AF74
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of Win32/Packed.Themida.HZB
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	VHO:Trojan-PSW.Win32.Vidar.gen
Alibaba	Packed:Win32/Themida.a5ab3ce1
MicroWorld-eScan	Trojan.GenericKDZ.110452
Rising	Trojan.Agent!1.1293E (CLASSIC)
Emsisoft	Trojan.GenericKDZ.110452 (B)
F-Secure	Trojan.TR/Crypt.TPM.Gen
McAfeeD	Real Protect-LS!84408FE8F267
Trapmine	malicious.high.ml.score
CTX	exe.trojan.generickdz
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.84408fe8f2675bd4
Google	Detected
Avira	TR/Crypt.TPM.Gen
Kingsoft	malware.kb.b.996
Gridinsoft	Trojan.Heur!.038120A1
GData	Trojan.GenericKDZ.110452
Varist	W32/Themida.DA.gen!Eldorado
AhnLab-V3	Trojan/Win.MalwareX-gen.R693677
DeepInstinct	MALICIOUS
Ikarus	Trojan.Win32.Themida
Panda	Trj/Genetic.gen
Zoner	Probably Heur.ExeHeaderL
TrendMicro-HouseCall	Trojan.Win32.VSX.PE04C9V
Tencent	Win32.Trojan.Generic.Qqil
MaxSecure	Trojan.Malware.121218.susgen
Fortinet	W32/Themida.HZB!tr
AVG	Win32:Evo-gen [Trj]

advnrNo.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All